Grant permissions to only specific tables in a Schema

permissionssnowflake

I am having a schema where I wanted to grant permissions in the following manner. What is the right way of doing this? To keep this simple, I am putting an example.

SCHEMA – HR
TABLES:

GEO_EMPLOYEE
GEO_SALARY
REGION_EMPLOYEE
REGION_SALARY

Now, I have two roles HR_EXEC and HR_GEN. The HR_EXEC role will have access to the entire schema which I kind of grant at the schema level. But for the HR_GEN role, I would like to inherit from HR_EXEC role and at the same time have access to schema and all the tables except denied to 'GEO_' tables. How do I do it in a better way? Should I be creating some DENY statements for each 'GEO_' tables in this case? I have 100 tables like this.

I am looking specifically for a SnowSQL based approach here but I guess this concept would be same for any SQL environment.

Best Answer

In the standard SQL there is no way to explicitly exclude some privileges. Some RDBMS have the DENY command (MS SQL Server as an example) to do that.

Related Solutions

Sql-server – Grant access to all objects (with a few exceptions) to a role

The sad truth is that you cannot do anything computerwise about the 'sa' activities. This is because the 'sa' (or a member of the sysadmin server role) are defined to be able to do pretty much anything.

So, of course, you should only have sysadmin's that you can trust to do their best to adhere to the standards for the database. But even the best sysadmin is imperfect. So you might set up some auditing to report on changes made in the database.

(Or, more low tech, periodically check your views for a restricted table name in a view.)

So it depends on what you are concerned about and how much effort you need to put into protecting the secure resources.

In terms of views that expose secure information, you can DENY permissions on a view. Even if a sysadmin created the view, the DENY of the view for those without approval will prevent their access.

Perhaps any high security views could be named something like SecureViewXYZZY so as to emphasize the reason for those views and the restriction of who can use them.

Sql-server – The INSERT/UPDATE/DELETE permission was denied on the object ‘TheTable’, database ‘TheDb’, schema ‘dbo’

Try with the below script. Its works for me.

GRANT SELECT ,UPDATE,DELETE,INSERT ON OBJECT::YourTable  
    TO [Domain\User];  
GO

I tried to the mentioned permission to a user Anoop,in the database MyLab.

GRANT SELECT ,UPDATE,DELETE,INSERT ON OBJECT::Account  
    TO [*MyDomain*\anoop];  
GO

And below is the screen shot after giving the permission.

Best Answer

Related Solutions

Sql-server – Grant access to all objects (with a few exceptions) to a role

Sql-server – The INSERT/UPDATE/DELETE permission was denied on the object ‘TheTable’, database ‘TheDb’, schema ‘dbo’

Related Question